Cyber insurance at a crossroads: complexity, contingency and catastrophe

The cyber insurance market is undergoing a fundamental transformation, evolving from its roots in data breach liability to become a complex, multi-faceted response mechanism for a constantly shifting digital threat landscape.

That was the view from industry leaders at a recent cyber insurance panel, hosted by AdvantageGo, the second in a quarterly series of such events, at which two leading cyber insurance experts debated the expanding scope — and mounting challenges — of cyber cover.

“Cyber insurance has always been reactive,” said Shannan Fort, International Cyber Product Leader at Marsh. “The product is constantly having to play catch-up with technology and the changing nature of cyber threats.”

Fort noted that in its early days, the cyber market was laser-focused on privacy liability, particularly in the United States, where litigation culture and regulatory regimes drove demand.

“You could almost track the cover with litigation and regulatory changes,” she said, pointing to the rise of incident response coverage as a shift towards more proactive mitigation.

James Tuplin, Head of International Cyber at Mosaic Insurance, offered a complementary perspective from the underwriting side.

“The policy language got broader and broader, but underwriting lagged behind,” he said. “Everyone was making money and selling the product — until ransomware hit.”

Both panellists agreed that ransomware has been a critical inflection point.

Fort observed that while clients have long recognised the seriousness of the threat, the market’s contraction a few years ago prompted a more disciplined focus on resilience and controls.

“Contrary to popular belief, the first port of call for clients is not to pay threat actors,” she stressed. “Nobody wants to reward criminal behaviour — that is always a last resort.”

Tuplin reflected on how ransomware changed the underwriting approach.

“The coverage was there, but we didn’t know what questions to ask,” he said. “We had to go back and figure out: what is this risk, how does it manifest, what are the controls that make it insurable?”

The conversation then turned to the growing complexity of cyber cover, particularly in relation to business interruption (BI) and contingent business interruption (CBI).

Tuplin expressed unease with the growing push to incorporate wider risks into a single cyber policy. “Effectively, clients want it to be an ‘all-risks’ policy,” he said.

“Lovely in theory, but if a cyber event causes property damage or involves terrorism, I have to understand how all of that plays out. It becomes impossible to underwrite well.”

Fort pushed back on the idea that a single policy should do everything.

“We don’t expect one policy to respond to every impact of a fire — why would we expect that for cyber?” she argued. “We’ve allowed traditional markets to offload cyber risks by excluding them, but that doesn’t mean we should stretch the cyber policy to compensate for that.”

Their debate intensified around contingent BI and supply chain risk — widely acknowledged as among the thorniest issues in cyber underwriting.

Tuplin cited the opacity of supply chains beyond tier-one suppliers as a major challenge. “We don’t have enough visibility,” he admitted.

Fort countered that she thought underwriters have been overcomplicating the problem.

“You’re underwriting the insured’s resilience,” she said. “Not every risk comes down to knowing every supplier’s supplier. The question is: how quickly can the insured respond and recover?”

That theme of resilience became a touchstone throughout the panel, especially in the context of systemic risk and “cyber catastrophe” events.

CrowdStrike’s widespread service outage last year — a reminder that even cybersecurity vendors are not immune — was highlighted as an example of the market’s vulnerability.

Tuplin described such events as wake-up calls for underwriters. “We know systemic risk exists, but we don’t know what’s next,” he said. “Each mini-catastrophe gives us new data points. We don’t have 700 years of cyber history, but we’re building that understanding incident by incident.”

Fort added that while such events are concerning, they have also shown the cyber market’s capacity for rapid recovery.

“This isn’t a natural disaster. It’s not a volcano you can’t fix in 12 hours. There are no geographical limits in cyber, but the resolution can be swifter. That’s a powerful differentiator,” she said.

As the market grows in complexity and scope, the need for continued evolution — on both the underwriting and broking sides — was clear.

What remains uncertain is whether cyber insurance can ever be a catch-all safety net, or whether its strength lies in well-defined boundaries and collaborative risk management.
